Sunday, April 16, 2006

Treaty

As I have explained elsewhere, the major problem law enforcement faces in dealing with cybercrime is the lack of cybercrime laws in some countries and the inconsistencies that exist between cybercrime laws in other countries.

Cybercriminals can exploit, and are exploiting, these gaps and inconsistencies to their advantage: If there is no law criminalizing, say, the dissemination of a computer virus, then the person responsible for the virus cannot be prosecuted in his home country and cannot be extradited to be prosecuted in other countries harmed by the virus. (It is a basic principle of international law that someone cannot be handed over by Country X to Country Z for prosecution unless the conduct at issue was a crime both in Country X and Country Z; this is known as the principle of "double criminality".)

Other problems arise in the investigation of cybercrimes. Basically, under international law, Country X is not obligated to assist Country Z with the investigation of a crime committed in Country Z unless there is an agreement -- a mutual legal assistance treaty -- in effect between the two. (There are other methods by which Country Z can request assistance from Country X, but they are cumbersome and time-consuming.) Cybercriminals can exploit the lack of a treaty between two countries: A cybercriminal can set up operations in Country Z and victimize citizens of Country X, knowing that the authorities in Country Z cannot assist police from Country X in their investigation of these cybercrimes. This is a very simple example, but I hope it makes the point.

In an effort to address this problem, the Council of Europe created a committee and assigned it the task of drafting a cybercrime treaty. After some years of work, the committee produced the Convention on Cybercrime. The Convention is a lengthy document, the goal of which is to harmonize the national penal law (the law governing the definition of criminal offenses) and procedural law (the law governing criminal investigations) that deals with cybercrime. Countries that sign and ratify the Convention (a country must do both to be bound to implement the treaty) pledge to ensure that (i) their law criminalizes a baseline of cybercrime offenses, (ii) their law allows them to assist other parties to the Convention with the investigation of cybercrimes and to extradite cybercriminals in their custody and (iii) their law allows them to provide other mutual assistance to countries in the investigation and prosecution of cybercrime.

I think the Convention on Cybercrime is a very impressive document. And it seems the logical solution to the problems I noted above.

Why then, I wonder, has it been ratified by so few countries? The Convention was opened for signature on November 23, 2001. As I write this, approximately four and a half years later, it has been signed by 42 countries but only ratified by 13. The Convention does not become binding on a country until it signs and ratifies it.

Until this year, the Convention had not been ratified by any of the major European countries. It had been ratified by smaller countries, such as Albania and Croatia, but not by the major players in Europe, the countries one would expect to have been among the first to ratify the Convention. France and Denmark finally ratified the Convention this year, but Italy, Spain, Belgium, the United Kingdom and a number of other countries still have not ratified it.

The Convention is open to non-European countries under certain conditions, one being that they were involved in its drafting. Four non-European countries -- the United States, Canada, Japan and South Africa -- signed the Convention under this condition. None of them have ratified it.

This is particularly surprising with regard to the United States, because the U.S. Department of Justice was a prime mover in the creation and drafting of the Convention on Cybercrime. The US is a major target of cybercriminals, and therefore has good reason to want global cybercrime law to become a seamless web that facilitates the investigation and prosecution of cyber-perpetrators. Indeed, the U.S. Department of Justice has for years conducted programs for countries in Asia and South America; the programs are intended to encourage them to sign and ratify the Convention by explaining the benefits of doing so and providing assistance with the legal issues involved in adopting the legislation required to implement the Convention.

So, why is the Convention languishing? I don't know. I don't know why we have not ratified it, given the effort we put into its creation. The President recommended ratification to the Senate almost two years ago, and the Senate Foreign Relations Committee recommended ratification last summer. I can only assume our failure to ratify is due, in part, to the fact that the White House is and has for some time been occupied with other matters (Iraq, Al Qaeda, Katrina, etc.). I suspect it is also due to the fact that several entities -- including the ACLU, the EFF and EPIC -- oppose ratification, on the grounds that certain provisions of the Convention are inconsistent with the civil liberties guaranteed by our Constitution.

I also wonder if the general dereliction of duty with regard to the Convention is due to the same phenomenon that happens to most of us at some point in time . . . you have to fix something around the house, fixing it will be a pain, you don't really want to do it but you go out and buy the materials you need to do the job. Then they sit . . . because you really don't want to deal with the problem . . . and you have, after all, taken the first step by picking up the materials you need.

Maybe the Convention on Cybercrime is languishing because those who care about the issues it addresses worked very hard to get the Convention drafted . . . and are now assuming it will go into effect, somewhen, and take care of the problem.